make session encryption optional

This commit is contained in:
Roland Gruber 2014-01-12 11:08:43 +00:00
parent 14a619989e
commit 750a118884
6 changed files with 36 additions and 7 deletions

View File

@ -996,6 +996,13 @@ Have fun!
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
access LAM via an untrusted IP only get blank pages.</para>
<para id="sessionEncryption">Session encryption will encrypt sensitive
data like passwords in your session files. This is only available when
PHP <ulink url="http://php.net/mcrypt">MCrypt</ulink> is active. This
adds extra security but also costs performance. If you manage a large
directory you might want to disable this and take other actions to
secure your LAM server.</para>
<screenshot>
<mediaobject>
<imageobject>
@ -8885,8 +8892,9 @@ objectclass: top
<para><emphasis role="bold">Disable session
encryption</emphasis></para>
<para>LAM encrypts sensitive data in your session files. You can
prevent this by disabling the PHP MCrypt module (if installed).</para>
<para>LAM encrypts sensitive data in your session files. You can <link
linkend="sessionEncryption">disable</link> it to reduce CPU
load.</para>
</section>
</section>
</appendix>

Binary file not shown.

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 18 KiB

View File

@ -155,6 +155,8 @@ $helpArray = array (
"Text" => _('Please change this setting only if you experience problems in receiving emails from LAM. This defines the line ending of emails.')),
"244" => array ("Headline" => _('PHP error reporting'),
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
"245" => array ("Headline" => _('Encrypt session'),
"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
"250" => array ("Headline" => _("Filter"),
"Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")),
"260" => array ("Headline" => _("Additional LDAP filter"),

View File

@ -1400,6 +1400,9 @@ class LAMCfgMain {
/** list of hosts which may access LAM */
public $allowedHosts;
/** session encryption */
public $encryptSession;
/** minimum length for passwords */
public $passwordMinLength = 0;
@ -1437,7 +1440,8 @@ class LAMCfgMain {
private $settings = array("password", "default", "sessionTimeout",
"logLevel", "logDestination", "allowedHosts", "passwordMinLength",
"passwordMinUpper", "passwordMinLower", "passwordMinNumeric",
"passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting');
"passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting',
'encryptSession');
/**
* Loads preferences from config file
@ -1449,6 +1453,7 @@ class LAMCfgMain {
$this->logLevel = LOG_NOTICE;
$this->logDestination = "SYSLOG";
$this->allowedHosts = "";
$this->encryptSession = 'true';
$this->reload();
}
@ -1516,6 +1521,7 @@ class LAMCfgMain {
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
if (!in_array("encryptSession", $saved)) array_push($file_array, "\n\n# encrypt session data\n" . "encryptSession: " . $this->encryptSession);
if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength);
if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper);
if (!in_array("passwordMinLower", $saved)) array_push($file_array, "\n\n# Password: minimum lowercase characters\n" . "passwordMinLower: " . $this->passwordMinLower);

View File

@ -104,6 +104,14 @@ if (isset($_POST['submitFormData'])) {
}
else $allowedHosts = "";
$cfg->allowedHosts = $allowedHosts;
// set session encryption
if (function_exists('mcrypt_create_iv')) {
$encryptSession = 'false';
if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
$encryptSession = 'true';
}
$cfg->encryptSession = $encryptSession;
}
// set log level
$cfg->logLevel = $_POST['logLevel'];
// set log destination
@ -263,6 +271,10 @@ $securityTable = new htmlTable();
$options = array(5, 10, 20, 30, 60, 90, 120, 240);
$securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true);
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true);
$encryptSession = ($cfg->encryptSession === 'true');
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
$securityTable->addElement($encryptSessionBox, true);
// SSL certificate
$securityTable->addElement(new htmlOutputText(_('SSL certificates')));
$sslMethod = _('use system certificates');

View File

@ -125,14 +125,15 @@ $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <me
/**
* Displays the login window.
*
* @param object $config_object current active configuration
* @param LAMConfig $config_object current active configuration
* @param LAMCfgMain $cfgMain main configuration
*/
function display_LoginPage($config_object) {
function display_LoginPage($config_object, $cfgMain) {
logNewMessage(LOG_DEBUG, "Display login page");
global $error_message;
// generate 256 bit key and initialization vector for user/passwd-encryption
// check if we can use /dev/urandom otherwise use rand()
if(function_exists('mcrypt_create_iv')) {
if(function_exists('mcrypt_create_iv') && ($cfgMain->encryptSession == 'true')) {
$key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
if (! $key) {
srand((double)microtime()*1234567);
@ -651,5 +652,5 @@ if(!empty($_POST['checklogin'])) {
}
//displays the login window
display_LoginPage($_SESSION["config"]);
display_LoginPage($_SESSION["config"], $_SESSION["cfgMain"]);
?>